PSD2 and its bylaws

Security, Authorization and the Future

PSD2 opened up the financial sector to a myriad private
fintechs, rushing in to take advantage of banks and credit unions' APIs now being made available to
them. While this boom in the third-party financial services provider market has
all the hallmarks of being a gift to both customers and financial institutions,
there are certain issues related to fraud prevention, general security and risk
management that need to be addressed before a fintech can take advantage of
open banking.

Who is
Who and Who Does What?

Newcomers must undertake certain steps to be authorized to work under PSD2 (or reauthorized, if it's a preexisting company), including proving their operational and security risk management is not only in place but also satisfies the guidelines as set by EBA, the European Banking Authority. So who must make sure they are PSD2 compliant? Banks and
credit unions, of course. But these requirements are also applicable to various
payment institutions and payment initiation service providers, e-money issuers
and agents, building societies but also all consumer and trade bodies, as well
as retailers, micro-enterprises and, of course, anyone involved with open
banking initiatives.

EBA PSD2 guidelines present clear technical standards for security measures vital to open banking, such as strong customer authentication as well as open standards of communication.

Communication is, of course, key: there needs to be a secure
and effective exchange of information between various third-party providers and
customer account providers, as well a channel of communication that keeps the
customer informed of all goings on and allows them to provide or revoke
consent.

Safe as
Houses

The security measures PSD2-compliant fintechs must have in place need to be able to detect, react to and prevent a spectrum of potential threats to both the company's premises and its data center's physical location.

They also need to apply the same actions to company's online services, from user data gathering to payments. And
while physical location security is an important segment, priority is given to information
security.

This proritization of information is, of course, perfectly understandable since the main
area PSD2 affects is online banking and online payments services. But it also brings its own sets of concerns: for example, increases in online fraud prevention require banks and fintechs to ask for more information from their customers for verification purposes.

But it also brings its own sets of concerns: for example, increases in online fraud prevention require banks and fintechs to ask for more information from their customers for verification purposes.

Authorization Is the
Way

Requirements are many and include management providing proof
of professional competence, detailed information on fintech’s business model
and business plan, and detailed documentation of the company's security
standards when handling sensitive customer and account data, as well as process
documentation for crisis management and customer complaints handling.

There is, however, another option: a fintech could join a
provider that already has an appropriate authorization. This would allow the
newcomer company to comply with all the requirements and avoid the complicated
application procedure, jumping into the open banking arena headfirst.

Security
is Not the End

Information security is not the only requirement for the
stamp of EBA approval. There is also the assessment of a fintech's operational
(that is, not IT-related) risk management. During this process, the auditor will
take stock of the company's risk management and mitigation measures and these
assessments, both operational risk and security risk assessments, should
ideally be performed on a regular basis. In essence, we're talking about yearly
checkups here, just like you visiting your doctor.

While the various technical standards required by the EBA affect the security
of both user data and their transactions, they also provide all PSD2-authorized
third-party providers with an excellent platform that allows them to compete in
the growing banking and payments services market. There is also the matter of
added value for fintechs' customers, not to mention the fact that any upheavals
and disruptions in any field always lead to innovation. In this case, to
various improvements in payment functionality and security, as well as to
additional services.